Privacy Policy
We are a small team building VexaHub. We collect as little data as possible, store nothing we do not need, and will never sell or share your data with third parties. This document explains what we collect, why, and what you can do about it.
Data we collect
We only collect data that is strictly necessary to run the service.
| Data | Purpose | Legal basis |
|---|---|---|
| Email address | Account creation, login, important notifications | Contract performance |
| Encrypted file data | Core service - storing your files | Contract performance |
| Billing information | Processing payments for paid plans | Contract performance / legal obligation |
| Technical logs (IP, timestamp) | Security, abuse prevention | Legitimate interest |
Your file contents, file names, and encryption keys are end-to-end encrypted. We cannot read them and we do not try to.
How we use your data
Your data is used only for the following purposes:
- Providing and maintaining the VexaHub service
- Sending transactional emails (account verification, password reset, billing)
- Detecting and preventing abuse or unauthorized access
- Complying with applicable legal obligations
We do not use your data for advertising, profiling, or any purpose beyond what is listed above. We do not share your data with third parties except payment processors and hosting providers strictly necessary to operate the service, all of which are EU-based.
For information about cookies, see our cookie policy.
Hosting & data location
All data is stored on servers located in Germany, operated by independent European infrastructure providers. No data is transferred outside the European Union. We do not use any US-based service providers.
VexaHub is not subject to the US CLOUD Act. We are not incorporated in the United States and have no legal presence there.
Data retention
We keep your data for as long as your account is active. When you delete your account:
- Your encrypted files are permanently deleted from our servers within 7 days
- Your email address is removed immediately
- Billing records are retained for 10 years as required by French accounting law
Inactive accounts
An account is considered inactive after 2 years without login. After this period:
- We send a warning email to the address associated with your account.
- From that email, you can either log in to your account, or click a confirmation link to keep your account active without logging in. In both cases, the timer resets for another 2 years.
- If you do not respond within 3 months, your account and all associated data will be permanently deleted, under the same conditions as a voluntary deletion described above.
- Billing records are retained for 10 years as required by French accounting law.
For accounts transitioning from a paid subscription to the free plan, a minimum grace period of 6 months applies from the date of subscription end before the inactivity policy takes effect, regardless of last login date.
We enforce this policy to comply with the GDPR data minimisation principle, and to avoid retaining personal data indefinitely without a valid purpose. Paid accounts with an active subscription are not subject to automatic deletion.
Your rights (GDPR)
As a person whose data we process, you have the following rights under the GDPR:
- Right of access - You can request a copy of all personal data we hold about you.
- Right to rectification - You can ask us to correct inaccurate data.
- Right to erasure - You can ask us to delete your account and all associated data.
- Right to portability - You can request your data in a machine-readable format.
- Right to restriction of processing - You can ask us to temporarily restrict the processing of your data in certain circumstances.
- Right to object - You can object to processing based on legitimate interest.
You also have the right to lodge a complaint with the French data protection authority, the CNIL, if you believe your data is being processed unlawfully.
VexaHub acts as data controller for the personal data described in this policy. No Data Protection Officer (DPO) has been appointed. For any data-related request, contact us via the contact page.